by rjbwork 3323 days ago
If you or your IT dept is not installing updates, especially security patches, over 2 months after they come out, something's horribly wrong.
2 comments

Posting from a throwaway for obvious reasons, but the place where I work still hasn't applied these patches after I warned their IT dept about the NSA vulns a month ago... luckily I'm at least able to apply the patch to my own system manually. If it hits us I'm pretty sure we're screwed on the order of a few thousand systems.
The reality is, this is very common.
Then what, realistically, can be done when nation-state knowledge of vulnerable systems is hoarded for cyber-warfare purposes?
Frankly, there is only one solution I can see anymore:

Laws must be passed to:

* Force the US government to report vulnerabilities to vendors

* Create a regulatory body to monitor the use of vulnerabilities in clandestine operations and ensure that mandatory reporting is upheld

I cannot see anything less working.

Get that through US and EU governments, and you'll likely have the vast majority of vulnerabilities being reported and patched.

Of course this is akin to asking the US and Russia to convert their nuclear stockpile into reactor fuel.